Your DMARC record does not include an sp= tag to define policy for subdomains. Without it, subdomains inherit the parent domain's policy, which may not be appropriate.
Add `sp=reject` to your DMARC record to protect subdomains.
The sp= tag sets the policy specifically for subdomains. Without it, subdomains inherit the p= tag policy. If your p= is "none" for monitoring, all subdomains are also unprotected.
Attackers often target subdomains for spoofing because they are less likely to have their own email authentication. Setting sp=reject protects unused subdomains from being spoofed.
See what your current policy is and whether sp= is already set.
dig +short TXT _dmarc.yourdomain.com

Add a subdomain policy to your DMARC record. Before:

v=DMARC1; p=quarantine; rua=mailto:[email protected]

After:

v=DMARC1; p=quarantine; sp=reject; rua=mailto:[email protected]

Confirm the updated record is published and test with a subdomain.

dig +short TXT _dmarc.yourdomain.com
# The sp=reject tag should be visible

After making changes, use our free scanner to verify the fix is working correctly. DNS changes can take up to 48 hours to propagate, but most propagate within minutes.
The sp=reject tag tells receiving servers to reject any email from your subdomains that fails DMARC authentication, even if the main domain has a more relaxed policy.
Not strictly, since subdomains inherit the p= policy when sp= is not set. But explicitly setting sp=reject is good practice for clarity.
Yes. A subdomain can have its own DMARC record at _dmarc.subdomain.yourdomain.com, which overrides both p= and sp= from the parent domain.
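To make the inheritance rules above concrete (p= applies to subdomains unless sp= is set, and a subdomain's own _dmarc record overrides both), here is an added Python example that is not part of the scanner page. It parses DMARC TXT records, works out which policy a receiver would apply to mail from a given subdomain, flags a record whose subdomains are not protected, and inserts the sp=reject tag the page recommends. Live DNS is replaced by a constructed in-memory zone, the organisational domain is passed in explicitly instead of being derived from a public-suffix list, and the dmarc@example.com address is a constructed sample value.

```python
# Added example (not from the scanner page): model how a receiving server
# chooses the DMARC policy for a message from a subdomain, using the
# inheritance rules described in the text. DNS is replaced by a constructed
# in-memory table so the script runs offline.

VALID_POLICIES = ("none", "quarantine", "reject")


def parse_dmarc(record):
    """Split a DMARC TXT record into a {tag: value} dict.

    'v=DMARC1; p=quarantine; sp=reject'
        -> {'v': 'DMARC1', 'p': 'quarantine', 'sp': 'reject'}
    Tag names are lower-cased for comparison; values are kept as published.
    """
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue  # empty trailing segment or malformed part
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def is_valid_dmarc(tags):
    """A usable record must declare v=DMARC1 and carry a recognised p= value."""
    return tags.get("v") == "DMARC1" and tags.get("p", "").lower() in VALID_POLICIES


def subdomain_policy(tags):
    """Policy the record applies to subdomains: sp= if set, otherwise inherit p=."""
    sp = tags.get("sp", "").lower()
    if sp in VALID_POLICIES:
        return sp, "sp"
    return tags["p"].lower(), "p"


def effective_policy(from_domain, org_domain, dns):
    """Return (policy, explanation) for mail whose From: domain is from_domain.

    dns maps '_dmarc.<name>' -> TXT string. org_domain is the organisational
    domain (e.g. 'example.com' for 'mail.example.com'), passed in explicitly
    so this example needs no public-suffix list. Lookup order mirrors the
    text: the subdomain's own record wins; otherwise the organisational
    domain's sp= applies, or its p= when sp= is absent.
    """
    own = dns.get(f"_dmarc.{from_domain}")
    if own is not None:
        tags = parse_dmarc(own)
        if is_valid_dmarc(tags):
            return tags["p"].lower(), f"own record at _dmarc.{from_domain}"
    if from_domain == org_domain:
        return None, "no valid DMARC record"
    parent = dns.get(f"_dmarc.{org_domain}")
    if parent is None:
        return None, "no valid DMARC record"
    tags = parse_dmarc(parent)
    if not is_valid_dmarc(tags):
        return None, "no valid DMARC record"
    policy, tag = subdomain_policy(tags)
    if tag == "sp":
        return policy, f"sp= from _dmarc.{org_domain}"
    return policy, f"inherited p= from _dmarc.{org_domain} (no sp= set)"


def add_subdomain_policy(record, policy="reject"):
    """Return the record with sp=<policy> inserted directly after p=, which is
    the change the text recommends. An existing sp= is replaced, not duplicated."""
    parts = [p.strip() for p in record.split(";") if p.strip()]
    parts = [p for p in parts if not p.lower().startswith("sp=")]
    for i, part in enumerate(parts):
        if part.lower().startswith("p="):
            parts.insert(i + 1, f"sp={policy}")
            break
    return "; ".join(parts)


def unprotected_subdomains(record):
    """True when mail failing DMARC from some subdomain would not be rejected."""
    tags = parse_dmarc(record)
    if not is_valid_dmarc(tags):
        return True
    return subdomain_policy(tags)[0] != "reject"


if __name__ == "__main__":
    # Constructed sample zone: the parent lacks sp=, one subdomain has its own record.
    zone = {
        "_dmarc.example.com": "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com",
        "_dmarc.app.example.com": "v=DMARC1; p=none",
    }
    for host in ("example.com", "mail.example.com", "app.example.com"):
        print(host, effective_policy(host, "example.com", zone))
    fixed = add_subdomain_policy(zone["_dmarc.example.com"])
    print("fixed record:", fixed)
    zone["_dmarc.example.com"] = fixed
    print("mail.example.com", effective_policy("mail.example.com", "example.com", zone))
```

Running the script shows mail.example.com inheriting quarantine from the parent's p= before the fix and getting reject from sp= after it, while app.example.com keeps the none policy from its own record in both cases, which is exactly the override behaviour described in the last answer above.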